The portion of the mail that starts out "Greetings" is what we
originally sent to him.

From: "Peyton T. Collie" (pcollie@lore.net)
To: "'hacked[at]attrition.org '" (hacked[at]attrition.org)
Date: Mon, 30 Apr 2001 16:49:21 -0400
Subject: RE: Urgent! Security incident on your machine! www.webmajestics.c om
Greetings?
Your firm illegally hacked and damaged our servers, costing our clients
money. We are seeking legal action and you have been reported to all major
players in the security, legal and governmental arenas. In addition we are
filing complaints with the BBB, and any and all legal related firms to
notify them of your activities!
We do not take this lightly!
Greetings.
You are being contacted because you are listed as an Internic
contact for the domain referred to.
Attrition.org is a non-profit, hobby web site that monitors
computer crime on the internet. In the past few minutes, we
have been notified that your domain was hacked, and your web
page defaced. This means that the intruder has edited your
web page in some way. Due to this, it is quite likely that
one or all of the machines on your network are compromised.
You may wish to take immediate action to correct this problem
and respond to the intrusion.
One of the free services attrition.org offers is mirroring defaced
pages to aid in statistics on computer crime. The various archives
of information we maintain is used by security professionals and
law enforcement every day. We comply with all law enforcement
subpoenas for information related to the intrusion; however, for
the purposes of fairness in reporting, we do not reveal the
identities of defacers other than as shown on the defaced web page.
Attrition offers free security advice and assistance to sites
experiencing trouble. We can also recommend unaffiliated security
companies should you feel the need for more extensive analysis;
please mail staff[at]attrition.org, and we'll be happy to help.
We are not a security company and have no product or service to
sell.
We'd also like to assure you that we had no advanced knowledge
of the intrusion. Any reference to attrition.org in your logs
is due to our mirroring utility. Any greeting or reference to
Attrition on the actual web page is beyond our control. You are
one of over three thousand administrators we have contacted in
this manner.
Attrition has already notified the appropriate CERT teams that
would be interested in this incident. Despite this, you should
still contact the appropriate CERT with followup information.
They can provide recommendations for recovering and dealing with
this incident.
If you receive any additional mail from a security company or
vendor, we'd like to state up front that we are in no way
affiliated with them. We have found out that some security
companies prey on victims of web defacement to solicit their
products or services. If you receive such mail, please forward
the full text with headers to us so that we can confront them.
Please feel free to mail us if you have any questions or would
like assistance.
For more on security and incident response:
http://ciac.llnl.gov
For more on computer forensics and preservation of evidence:
http://www.forensics-intl.com/info.html
http://www.nwo.net/null/recovery.html
For the latest on vulnerabilities and good security practice:
http://www.securityfocus.com
Hardening WindowsNT4
http://www.networkcommand.com/NTSEC/paranoid.html
Contacting Law Enforcement
http://www.fbi.gov/contact/fo/fo.htm
The Attrition Mirror:
http://www.attrition.org/mirror/
Security Advisory Archive:
http://www.attrition.org/security/advisory/
For the latest on computer crime and news:
http://www.hackernews.com/
Contacting us:
staff[at]attrition.org